D2T3 - Keith Lee and Jonathan Werrett - Facebook OSINT
Keith Lee
Jonathan Werrett
Thursday, 17 October 13
INTRODUCTION
Keith Lee
Security Analyst, SpiderLabs, Singapore
klee@trustwave.com
http://github.com/milo2012/osintstalker
@keith55
Jonathan Werrett
Managing Consultant, SpiderLabs, Hong Kong
jwerrett@trustwave.com
@werrett
AGENDA
‣ Background / Motivation
‣ Introduction to GeoStalker and FBStalker tools
‣ Problems they solve
‣ GeoStalker in-depth
‣ FBStalker in-depth
‣ What you can do to protect yourself
MOTIVATION
Spend our days on “Penetration tests”
Day in, day out
BUT WAIT
Sometimes we get a real pentest
...
OSINT Network
[Diagram; the node labels, grouped approximately as the layout suggests:]
‣ Target: Facebook profile, LinkedIn profile, Twitter, Instagram
‣ Facebook: friends, no. of comments, age of friendship, likes, tagged w/ people (no. of tags), check-ins (no. of check-ins together), photos, places visited
‣ LinkedIn: education background, previous jobs, company name
‣ Company: Whois / IP allocations, domains, company name
‣ Location: physical address, premise details, geocoded lat / lon, Google Maps, Wigle.net wireless DB (MAC addresses), photos
GEOSTALKER
Takes
‣ Location (address or coordinates)
Provides
‣ Wireless access points near-by
‣ Photos taken at that location
‣ Social media accounts of people who’ve visited
FBSTALKER
Takes
‣ Facebook profile user
Provides
‣ Social engineering targets
‣ Associates of those targets
‣ Times online
‣ Interests, commonly visited places
EXAMPLE OBJECTIVES
[Diagram; recoverable labels along each path, from objective to entry points:]
‣ Facilities recon? → Premise → Geocode (lat / lon) → Google Maps photos; Twitter, Instagram, 4sq, Flickr; Google Search
‣ Phishing targets? → Staff → LinkedIn, Facebook → Interests; Staff → Associates
‣ Physical address → Geocode (lat / lon) → Twitter, Instagram, 4sq, Flickr
EXAMPLES FROM ENGAGEMENTS
FB Apps
‣ Indicate the phishing target uses a Mac
‣ Ditch our Windows-based payloads for OS X
FB Friends
‣ Identify the target’s wife
‣ Wife runs a Pilates studio
‣ Spear phish the wife with a Pilates pretext
Instagram Photos
‣ Client was a power utility
‣ Staff target found via photos taken at the client’s facilities
GEOSTALKER - INTRO
Requires
‣ Address
‣ Latitude / Longitude Coordinates
GEOSTALKER - APPLICATION FLOW
[Flow diagram; nodes: Geolocation (input) → geoStalker → Data Source → UserID]
DEMO
GEOSTALKER
GEOSTALKER - INPUT
GEOSTALKER - RUNNING
GEOSTALKER - FOURSQUARE
GEOSTALKER - INSTAGRAM
GEOSTALKER - FLICKR
GEOSTALKER - HTML OUTPUT
GEOSTALKER - MALTEGO EXPORT
GEOSTALKER - LIMITATIONS
Single threaded
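The GeoStalker flow the preceding slides describe (a location resolved to latitude/longitude, each data source queried for records near that point, the accounts behind those records collected and exported for Maltego or a spreadsheet), as an added Python example. This is not the tool's code from the osintstalker repository: the geocoder and the Foursquare, Instagram and Flickr lookups are replaced by constructed in-memory records so it runs offline, the 100 m radius and the CSV column layout are assumptions rather than anything the slides or Maltego specify, and the per-source lookups run in a thread pool, which is one way around the single-threaded limitation noted above.

```python
import csv
import io
import math
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-in for a geocoder response (hypothetical address).
GEOCODE = {"1 Example Plaza, Singapore": (1.2839, 103.8515)}

# Constructed stand-ins for the per-source API responses: geotagged
# check-ins / photos with the account that posted them.
SOURCES = {
    "instagram": [
        {"user": "alice_ig", "lat": 1.2841, "lon": 103.8517, "ts": "2013-10-01T09:12"},
        {"user": "bob_ig",   "lat": 1.3521, "lon": 103.8198, "ts": "2013-10-01T10:00"},  # ~8 km away
    ],
    "foursquare": [
        {"user": "alice_4sq", "lat": 1.2838, "lon": 103.8514, "ts": "2013-10-02T08:50"},
        {"user": "carol_4sq", "lat": 1.2840, "lon": 103.8519, "ts": "2013-10-02T18:05"},
    ],
    "flickr": [
        {"user": "dave_fl", "lat": 1.2836, "lon": 103.8512, "ts": "2013-09-28T12:30"},
    ],
}

EARTH_RADIUS_M = 6_371_000


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def resolve_location(target):
    """Accept an address (resolved via the constructed geocoder) or a (lat, lon) pair."""
    if isinstance(target, str):
        return GEOCODE[target]
    lat, lon = target
    return float(lat), float(lon)


def lookup_source(name, lat, lon, radius_m):
    """One data-source query: records within radius_m of the point, tagged with the source."""
    hits = []
    for rec in SOURCES[name]:
        d = haversine_m(lat, lon, rec["lat"], rec["lon"])
        if d <= radius_m:
            hits.append({"source": name, "user": rec["user"], "ts": rec["ts"], "dist_m": round(d)})
    return hits


def geostalk(target, radius_m=100):
    """Query every source concurrently; return hits nearest-first."""
    lat, lon = resolve_location(target)
    with ThreadPoolExecutor(max_workers=len(SOURCES)) as pool:
        per_source = list(pool.map(lambda n: lookup_source(n, lat, lon, radius_m), SOURCES))
    hits = [h for group in per_source for h in group]
    return sorted(hits, key=lambda h: (h["dist_m"], h["user"]))


def accounts_by_source(hits):
    """Collapse hits into {source: sorted distinct accounts}: the 'people who have visited' list."""
    out = {}
    for h in hits:
        out.setdefault(h["source"], set()).add(h["user"])
    return {s: sorted(users) for s, users in out.items()}


def to_csv(hits):
    """Flat CSV for import into Maltego or a spreadsheet (column layout is assumed, not Maltego's spec)."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["Source", "Account", "Timestamp", "DistanceM"])
    for h in hits:
        w.writerow([h["source"], h["user"], h["ts"], h["dist_m"]])
    return buf.getvalue()


if __name__ == "__main__":
    found = geostalk("1 Example Plaza, Singapore", radius_m=100)
    print(accounts_by_source(found))
    print(to_csv(found), end="")
```

The radius is the parameter to tune on a real engagement: too tight and photos geotagged a few metres off by the phone's GPS fall outside the premise; too loose and the neighbouring office's staff end up in the target list.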
GEOSTALKER - FUTURE VERSIONS
FBSTALKER - INTRO
Requires
‣ Profile Name
FBSTALKER - LOCKDOWN VS NON-LOCKDOWN
Lockdown Profile
‣ Unable to see the list of friends
‣ Reverse engineer the list of friends from likes and tags
Open Profile
‣ Analyze all friends of the target and determine how two individuals are connected or know each other:
‣ Work place
‣ School
‣ Common interests
‣ Common friends
‣ Places that two individuals like
FACEBOOK GRAPH SEARCH KEYWORDS
UNDERSTAND HOW TWO INDIVIDUALS ARE CONNECTED / RELATED
‣ Pages that Friend X and Y like
‣ Photos that Friend X and Y like
FBSTALKER - GRAPH SEARCH EXAMPLE
DEMO
FBSTALKER
FBSTALKER - INPUT
FBSTALKER - RUNNING
FBSTALKER - MALTEGO EXPORT
FBSTALKER - PROBLEMS
Single threaded
FBSTALKER - FUTURE WORK
‣ Runs 100% headless
‣ Monitor changes / activities of user’s FB profile.
‣ Allow name as input instead of userid
‣ Point system for Association strength
‣ Photo Tags
‣ Check-ins
‣ Comments
‣ Post / Photo Likes
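The two FBStalker ideas above, reverse-engineering a locked-down profile's friends from who tags, comments on and likes the target (the LOCKDOWN VS NON-LOCKDOWN slide) and the point system for association strength from photo tags, check-ins, comments and likes (the future-work list), as one added Python example. It is not the tool's code: the timeline activity and profile attributes are constructed sample records, the weights are an assumed point system rather than anything the slides fix, and the "times online" estimate is simply a histogram of the hour at which the target's own posts and comments appear.

```python
from collections import Counter

TARGET = "target"

# Constructed sample of what is visible on a locked-down profile's timeline:
# who is tagged with the target, who checked in with them, who comments and
# likes, plus the target's own posts (used for the "times online" estimate).
ACTIVITY = [
    {"kind": "post",      "actor": "target", "ts": "2013-10-01T19:00"},
    {"kind": "photo_tag", "actor": "alice",  "ts": "2013-10-01T19:12"},
    {"kind": "comment",   "actor": "target", "ts": "2013-10-02T08:20"},
    {"kind": "comment",   "actor": "bob",    "ts": "2013-10-02T08:15"},
    {"kind": "comment",   "actor": "bob",    "ts": "2013-10-02T08:31"},
    {"kind": "post",      "actor": "target", "ts": "2013-10-03T20:15"},
    {"kind": "photo_tag", "actor": "alice",  "ts": "2013-10-03T20:40"},
    {"kind": "like",      "actor": "bob",    "ts": "2013-10-04T22:02"},
    {"kind": "like",      "actor": "carol",  "ts": "2013-10-04T22:10"},
    {"kind": "post",      "actor": "target", "ts": "2013-10-05T19:30"},
    {"kind": "checkin",   "actor": "alice",  "ts": "2013-10-05T19:55"},
    {"kind": "comment",   "actor": "dave",   "ts": "2013-10-06T19:20"},
    {"kind": "like",      "actor": "eve",    "ts": "2013-10-06T19:25"},
]

# Assumed point system (not the tool's): being tagged in the same photo or
# checking in together is strong evidence of an offline relationship; a like
# is weak, since anyone who can see the post can leave one.
WEIGHTS = {"photo_tag": 3, "checkin": 3, "comment": 2, "like": 1}

# Constructed profile attributes for the open-profile comparison. "friends" is
# absent for the locked-down target, so it has to be inferred from ACTIVITY.
PROFILES = {
    "target": {"work": {"Acme Corp"}, "school": {"NUS"},
               "likes": {"Pilates", "Running"}, "places": {"Cafe X"}},
    "alice":  {"work": {"Acme Corp"}, "school": {"NTU"},
               "likes": {"Pilates", "Yoga"}, "places": {"Cafe X", "Gym Y"},
               "friends": {"target", "bob", "frank"}},
    "bob":    {"work": {"Other Ltd"}, "school": {"NUS"},
               "likes": {"Running"}, "places": set(),
               "friends": {"target", "alice"}},
}


def association_scores(activity, weights=WEIGHTS, target=TARGET):
    """Sum the weight of every interaction each actor has on the target's timeline."""
    scores = Counter()
    for item in activity:
        if item["actor"] != target and item["kind"] in weights:
            scores[item["actor"]] += weights[item["kind"]]
    return scores


def rank_associates(activity, **kw):
    """Associates strongest-first; ties broken by name for a stable order."""
    scores = association_scores(activity, **kw)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def infer_friends(activity, min_score=3, **kw):
    """Reverse-engineer a hidden friends list: keep actors whose score reaches min_score."""
    return [name for name, s in rank_associates(activity, **kw) if s >= min_score]


def friends_of(name, profiles=PROFILES, activity=ACTIVITY):
    """Open profile: the visible list. Locked-down profile: the inferred one."""
    prof = profiles[name]
    if "friends" in prof:
        return set(prof["friends"])
    return set(infer_friends(activity, target=name))


def how_connected(x, y, profiles=PROFILES, activity=ACTIVITY):
    """What two individuals share: workplace, school, interests, places, mutual friends."""
    px, py = profiles[x], profiles[y]
    common = {k: sorted(px[k] & py[k]) for k in ("work", "school", "likes", "places")}
    mutual = friends_of(x, profiles, activity) & friends_of(y, profiles, activity)
    common["friends"] = sorted(mutual - {x, y})
    return common


def active_hours(activity, who=TARGET):
    """Histogram of the hour-of-day of someone's own actions: a rough 'times online'."""
    return Counter(int(item["ts"][11:13]) for item in activity if item["actor"] == who)


if __name__ == "__main__":
    print(rank_associates(ACTIVITY))
    print(infer_friends(ACTIVITY))
    print(how_connected("target", "alice"))
    print(active_hours(ACTIVITY).most_common(3))
```

With these weights a single like never clears the friend threshold on its own, so the inferred list is built from people who appear in the target's photos, check in with them, or keep coming back to comment; that is also why the threshold, not the weights, is the knob to lower when a profile shows very little activity.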
HOW TO PROTECT YOURSELF
Turn off ‘location’ setting in social networking apps
http://github.com/milo2012/osintstalker
klee@trustwave.com
jwerrett@trustwave.com
@keith55
@werrett